Security Vulnerabilities - CVEs Published In April 2021
Discord-Recon is a bot for the Discord chat service. In versions of Discord-Recon 0.0.3 and prior, a remote attacker is able to read local files from the server that can disclose important information. As a workaround, a bot maintainer can locate the file `app.py` and add `.replace('..', '')` into the `Path` variable inside of the `recon` function. The vulnerability is patched in version 0.0.4.
CVSS Score
6.5
EPSS Score
0.007
Published
2021-04-22
Wrongthink is an encrypted peer-to-peer chat program. A user could check their fingerprint into the service and enter a script to run arbitrary JavaScript on the site. No workarounds exist, but a patch exists in version 2.4.1.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-04-22
NVIDIA GPU Display Driver for Windows installer contains a vulnerability where an attacker with local unprivileged system access may be able to replace an application resource with malicious files. This attack requires a user with system administration rights to execute the installer and requires the attacker to replace the files in a very short time window between file integrity validation and execution. Such an attack may lead to code execution, escalation of privileges, denial of service, and information disclosure.
CVSS Score
7.3
EPSS Score
0.001
Published
2021-04-21
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of service, or escalation of privileges. Attacker does not have any control over the information and may conduct limited data modification.
CVSS Score
7.3
EPSS Score
0.0
Published
2021-04-21
NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption.
CVSS Score
6.6
EPSS Score
0.001
Published
2021-04-21
NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 driver branch, contains a vulnerability where the software uses a reference count to manage a resource that is incorrectly updated, which may lead to denial of service.
CVSS Score
6.6
EPSS Score
0.0
Published
2021-04-21
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to system crash.
CVSS Score
5.5
EPSS Score
0.0
Published
2021-04-21
Insecure File Permissions exist in Aviatrix Controller 5.3.1516. Several world writable files and directories were found in the controller resource. Note: All Aviatrix appliances are fully encrypted. This is an extra layer of security.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-04-21
Arbitrary File Write exists in Aviatrix VPN Client 2.8.2 and earlier. The VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-04-21
Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9.
CVSS Score
9.1
EPSS Score
0.006
Published
2021-04-21